Allied Cyber Agencies Urge Leaders to Act Now as Frontier Models Reshape Risk

The cybersecurity agencies of the Five Eyes intelligence alliance warned that frontier artificial intelligence models are set within months to reshape offensive hacking across the globe.
The allied cyber agencies’ Monday statement urges government and business leaders to immediately act or fall behind as threats accelerate faster than traditional defenses can keep pace. The three-page advisory directs cyber defenders to assess risks, readiness and accountability frameworks and prioritize foundational cybersecurity practices and controls.
“The timeline is not years, it is months,” the agencies wrote.
The guidance is light on specifics and largely restates long-standing advice, such as patching flawed software quickly and keeping systems offline unless they need to be exposed. Analysts told ISMG the document reads as a warning aimed at boards and executives.
Shane Fry, chief technology officer at RunSafe Security and a former computer scientist for the Pentagon, said the statement’s core message is that AI is rewriting the math of an attack.
“AI is changing the economics and speed of cyberattacks,” he said, adding that as adversaries use the technology to find and exploit software flaws faster, organizations can no longer lean exclusively on patch cycles and vulnerability management. “The window between discovery and exploitation is shrinking to the point where remediation alone may not keep pace,” Fry said.
The statement was written by the leaders of the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, the United Kingdom’s National Cyber Security Centre, the Canadian Centre for Cyber Security, Australia’s Signals Directorate and Cyber Security Centre and New Zealand’s National Cyber Security Centre.
AI is already lowering the barrier for threat actors and compressing the window between when a vulnerability is discovered and when it is exploited. The joint statement describes the shift as a core business risk rather than an information technology problem.
Operational technology and critical infrastructure, where patching can stretch into months or years and equipment often stays in service for decades, face the most potential for embedded risks, Fry said. The priority has to move from finding flaws to neutralizing them, he added.
The agencies urged technology providers to test their products thoroughly and build systems that fail safely by default. Monday’s warning follows guidance the same agencies released in May cautioning against the rapid rollout of agentic AI systems capable of planning and acting on their own (see: Five Eyes Sound Alarm on Autonomous AI Security Risks).
The statement also comes weeks after CISA directed civilian federal agencies to fix, disable or remove the most serious vulnerabilities within three calendar days – a far tighter timeline than previous patch cycles. The agency cited the prospect of flaws being exploited autonomously and at scale.
